WP Charged Blog

Patch rolled out for WordPress 4.9.6 file deletion vulnerability

Update: A week after the disclosure WordPress has released a patch in 4.9.7 to address this security issue

A vulnerability recently disclosed by RIPSTech shows how an attacker could gain full control of a WordPress website. The attack does require an authenticated user, but any account with the Author role (or any other role that can manage uploaded media) is enough to take over the site. By design, authors should only be able to delete files they have added to the media library, not core WordPress files.

Who is affected?

Although WordPress was notified of this vulnerability 7 months ago, there was still no patch as of WordPress 4.9.6 (now fixed in 4.9.7). However, RIPSTech published a hotfix, which we have pushed out to all WordPress websites hosted at WP Charged in order to protect users against this threat. The hotfix is a stop-gap, not a replacement for the update: sites that have not yet moved to 4.9.7 should still do so.

What is the vulnerability and how can it be used?

WordPress stores the filename of each attachment's thumbnail image in the database, and lets an authenticated user change that value by sending a simple POST request to the attachment's edit page. The stored value is not restricted to a bare filename, so an attacker can replace the thumbnail name with a relative path (using ../ sequences) to any other file on the WordPress installation that the web server's user is allowed to remove. Because WordPress deletes all thumbnail versions together with the original image, all the attacker then has to do is delete the image from the media library to have the chosen file unlinked.

The following files could be deleted by an attacker to gain further access to the WordPress install: